Effective Date: December 1st, 2024
1) Who We Are & Scope
Rizer Inc. (“Rizer,” “we,” “us,” “our”) operates https://rizer.io and related services (the “Website”).
This Privacy Policy explains how we handle personal data when we act as a Controller—for Website visitors, prospects, marketing communications, support interactions, and product telemetry.
When we process Customer CRM data inside the Rizer platform, we act as a Processor/Service Provider under our customers’ instructions. That processing is governed by our Data Processing Agreement (DPA).
2) Data We Collect (Controller Context)
- Account & contact data: name, email, company, role, preferences; billing details for paid plans.
- Website & product telemetry: page views, events, timestamps, IP address, device/browser, approximate location (from IP), session identifiers.
- Marketing & sales: form submissions, webinar/event registrations, campaign engagement, newsletter preferences.
- Support: tickets, attachments, chat or call transcripts/recordings (see §9).
- Cookies & similar technologies: see §5 (Cookies, CMP & GPC).
We ask you not to submit sensitive categories (e.g., health, biometrics). We do not create or store biometric identifiers (e.g., voiceprints).
3) How We Use Your Data & Legal Bases (EEA/UK)
- Provide, secure, and troubleshoot the Website and services (contract; legitimate interests).
- Analytics and product improvement (consent where required; otherwise legitimate interests).
- Communications & support (contract/legitimate interests; consent where required).
- Marketing (consent where required; opt-out anytime).
- Compliance, fraud prevention, and legal requests (legal obligation/legitimate interests).
4) Your Choices & Rights
Depending on your location, you may have rights to: access, correct, delete, restrict/opt-out, object, portability, and withdraw consent.
- How to submit a request: email support@rizer.io or use available in-app/website forms.
- Verification: we may request information to confirm your identity.
- EU/UK: you may lodge a complaint with your supervisory authority.
- US (CA/CO/CT/VA/UT/TX): you may exercise state privacy rights; if we deny, you may appeal by replying to our decision.
5) Cookies, CMP & Global Privacy Control (GPC)
We use a Consent Management Platform (CMP). In the EEA/UK, non-essential cookies/tags load only after consent. Choices can be updated anytime via Cookie Settings.
We honor Global Privacy Control (GPC) signals. In supported jurisdictions:
- US → treated as opt-out of sale/share.
- EU/UK → treated as do-not-track/analytics preference.
Cookie categories:
- Strictly necessary (security, load balancing, consent storage).
- Analytics (usage measurement, diagnostics).
- Functional (preferences).
- Advertising (only if consented).
6) Analytics & AI Sub-Processors
- Google Analytics 4 via Google Tag Manager: used for usage analytics.
  - In EEA/UK, runs only after consent.
  - Retention: 14 months.
  - Google acts under its Data Processing Terms and SCCs/DPF for transfers.
- AI Providers: To generate insights and recommendations, we send limited Customer Data (as described in the DPA) to:
  - OpenAI
  - Google Gemini (Google Cloud)
  - Anthropic Claude
These providers act as sub-processors under the DPA.
7) Marketing Communications (Email/SMS/Calls)
- Email: truthful headers/subjects; one-click unsubscribe; unsubscribes honored within 10 business days (CAN-SPAM).
- SMS/Calls: only with express consent; we honor Do-Not-Call lists and time-of-day restrictions (TCPA).
- EU/UK: marketing is based on consent or legitimate interest.
- You can withdraw consent or update preferences anytime.
8) What We Share (Controller Context)
We may share personal data with:
- Service providers (hosting, analytics, AI, support, communications, billing).
- Professional advisors (legal, accounting) and authorities as required by law.
- Business transfers (e.g., merger/acquisition).
We do not sell personal information. If cross-context advertising is ever enabled, we will update this Policy and provide a “Do Not Sell or Share” link (and honor GPC).
9) Call Recording & Transcripts (Support/Sales)
Calls may be recorded or transcribed with notice and logged consent. Recordings and transcripts are used for support quality and training and are retained only as needed. We do not create or store biometric identifiers (voiceprints).
10) Retention
- Website analytics: up to 14 months (GA4).
- Support records: typically up to 24 months.
- Backups: rolling window ≤35 days.
- Billing/tax records: up to 7 years.
- Limited data may be retained for legal obligations or disputes.
11) Security
We use industry-standard safeguards: encryption (in transit & at rest), MFA and role-based access, logging, vulnerability management, incident response. No system is 100% secure—please protect your credentials.
12) International Transfers
When data is transferred outside the EEA/UK/Switzerland, we use SCCs, the EU/UK/Swiss–US Data Privacy Framework, or equivalent safeguards. For Customer Data, see our DPA.
13) Children
Our Website is not directed to children under 16. If we learn we collected data from a child, we will delete it.
14) CPRA/CCPA – Notice at Collection (Controller Context)
We do not sell or share personal information as defined by CPRA, unless advertising features are explicitly enabled (default = off). If that changes, we will provide a “Do Not Sell or Share” link.
Summary Table:
Category | Examples | Purpose(s) | Retention | Sold/Shared? |
---|---|---|---|---|
Identifiers | Name, email, IP, device ID | Account, support, marketing | Account life + 14m analytics | No |
Internet/Network | Page views, referrers | Analytics, diagnostics | 14m (GA4) | No |
Commercial/Billing | Subscription, payments | Billing, compliance | Up to 7y (tax) | No |
Geolocation (coarse) | City/region from IP | Fraud/security, analytics | 14m | No |
Inferences (limited) | Feature adoption | Product improvement | 12m | No |
Rights: access, delete, correct, opt out of sale/share or targeted advertising (if enabled), limit use of sensitive PI (we don’t intentionally collect it in the controller context). Submit requests to support@rizer.io. We honor GPC.
15) Controller vs. Processor Reminder
This Policy covers our controller activities (Website, marketing, support, telemetry). Processing of Customer CRM data in the platform is as a Processor/Service Provider and is governed by the DPA.
16) Changes
We may update this Policy. We’ll post a new “Last Updated” date and, for material changes, provide notice (e.g., email or in-product). Continued use means acceptance.
17) Contact
Rizer Inc.
2628 Maxwell Street
Philadelphia, PA 19152, USA
support@rizer.io | +1 (917) 300-1925